# Networking

## GCP (europe-west8)
Each environment runs in its own VPC with a single subnet. Networks are fully isolated — there is no peering between environments.
### VPCs and Subnets

| Environment | VPC Name | Subnet CIDR | Region |
|---|---|---|---|
| Development | dev-network | 10.0.2.0/24 | europe-west8 |
| Staging | staging-network | 10.0.1.0/24 | europe-west8 |
| Production | production-network | 10.0.0.0/24 | europe-west8 |

All VPCs are created with `auto_create_subnetworks = false`, so only the explicitly defined subnet exists in each.
### Static IPs
Each VM has a reserved internal IP and a dynamically allocated external IP.
| Environment | VM | Internal IP | Zone |
|---|---|---|---|
| Development | Backend | 10.0.2.3 | europe-west8-b |
| Development | Compute | 10.0.2.2 | europe-west8-c |
| Staging | Backend | 10.0.1.3 | europe-west8-b |
| Staging | Compute | 10.0.1.4 | europe-west8-b |
| Production | Backend | 10.0.0.2 | europe-west8-b |
| Production | Compute | 10.0.0.3 | europe-west8-b |

External IPs are named `{environment}-{backend|compute}-ip` and allocated per environment.
### Firewall Rules

All environments share the same rule structure, prefixed with the environment name (e.g., `production-allow-ssh`).
| Rule | Ports | Source | Target | Purpose |
|---|---|---|---|---|
| `{env}-allow-ssh` | TCP 22 | 0.0.0.0/0 | All VMs | SSH access (key-based only) |
| `{env}-allow-http` | TCP 80, 443 | 0.0.0.0/0 | `backend` tag | Public HTTP/HTTPS via Caddy |
| `{env}-allow-internal` | TCP 9000 | `backend` tag | `compute` tag | Backend → Compute API |
| `{env}-allow-compute-redis` | TCP 6479 | `backend` tag | `compute` tag | Backend → Compute Redis |
Network tags applied to VMs:
| VM | Tags |
|---|---|
| Backend | ssh, http, backend |
| Compute | ssh, compute |
Traffic flow:

- Inbound: Users → Caddy (port 80/443) on Backend VM
- Internal: Backend → Compute API (port 9000) and Compute Redis (port 6479)
- SSH: Open to all IPs, secured by SSH key authentication (keys managed in Terraform metadata)
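As an added check, not part of the project's Terraform, the production rule set and VM tags from the tables above are modelled in Python with GCP's ingress semantics (implied deny-all, allow rules matched by target tag and by CIDR or source tag), so the documented traffic flow can be asserted and the set of ports reachable from the internet per VM can be listed. The public test address `203.0.113.7` (TEST-NET-3) is a constructed stand-in for any external caller.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    ports: FrozenSet[int]       # TCP ports the rule allows
    source: str                 # a CIDR ("0.0.0.0/0") or a source network tag
    target_tag: Optional[str]   # None = applies to every VM in the VPC

# Production environment, transcribed from the tables above ({env} = "production").
RULES = [
    Rule("production-allow-ssh", frozenset({22}), "0.0.0.0/0", None),
    Rule("production-allow-http", frozenset({80, 443}), "0.0.0.0/0", "backend"),
    Rule("production-allow-internal", frozenset({9000}), "backend", "compute"),
    Rule("production-allow-compute-redis", frozenset({6479}), "backend", "compute"),
]
# VM name -> (reserved internal IP from the Static IPs table, network tags)
VMS: Dict[str, Tuple[str, Set[str]]] = {
    "backend": ("10.0.0.2", {"ssh", "http", "backend"}),
    "compute": ("10.0.0.3", {"ssh", "compute"}),
}

def ingress_allowed(src_ip: str, dst_vm: str, port: int) -> Optional[str]:
    """Name of the first rule admitting TCP src_ip -> dst_vm:port, or None
    (GCP's implied deny-all ingress). A source tag matches only when src_ip is
    the internal IP of a VM carrying that tag; CIDR sources contain a '/'."""
    src = ipaddress.ip_address(src_ip)
    src_tags = next((tags for ip, tags in VMS.values() if ip == src_ip), set())
    dst_tags = VMS[dst_vm][1]
    for rule in RULES:
        if port not in rule.ports:
            continue
        if rule.target_tag is not None and rule.target_tag not in dst_tags:
            continue
        if "/" in rule.source:
            if src in ipaddress.ip_network(rule.source):
                return rule.name
        elif rule.source in src_tags:
            return rule.name
    return None

def internet_exposed_ports(dst_vm: str) -> Set[int]:
    """Ports on dst_vm reachable from an arbitrary public address (TEST-NET-3)."""
    candidates = {p for rule in RULES for p in rule.ports}
    return {p for p in candidates if ingress_allowed("203.0.113.7", dst_vm, p)}
```

Running the same model against a changed rule set (for example a rule whose source is widened to a CIDR) shows immediately which VM ports become internet-reachable.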
## DNS (Cloudflare)

DNS is managed via Terraform using the Cloudflare provider (`~> 5.0`). The zone is `sartiq.com` (zone ID `c46b002fb445803c7d25dc3a03693ccd`).
### A Records
All A records point to Backend VM external IPs (Caddy handles routing).
| Subdomain | Target | Notes |
|---|---|---|
| api | Production backend | Production API |
| staging-api | Staging backend | Staging API |
| dev-api | Dev backend | Dev API |
| compute-api | Production backend | Production Compute (proxied via Caddy) |
| compute-api-staging | Staging backend | Staging Compute |
| compute-api-dev | Dev backend | Dev Compute |
| docs | Production backend | Documentation |
| docs-mcp | Production backend | MCP documentation |
| ai-toolkit | Production backend | AI toolkit |
| garment-accuracy | Production backend | Garment accuracy app |
| lakefs | Production backend | LakeFS UI/API |
| `*.dev` | 34.154.18.83 | Dev wildcard (GCP-Sartiq-Dev-01) |
| @ | 216.150.1.1 | Root domain |
### CNAME Records

| Subdomain | Target | Notes |
|---|---|---|
| app | Vercel DNS | Production web app |
| staging-app | Vercel DNS | Staging web app |
| media | Cloudflare R2 (public.r2.dev) | Production media CDN |
| staging-media | Cloudflare R2 | Staging media CDN |
| dev-media | Cloudflare R2 | Dev media CDN |
| www | sartiq.com | www redirect |
### Other Records

| Type | Name | Value | Notes |
|---|---|---|---|
| MX | @ | smtp.google.com | Google Workspace |
| TXT | @ | Google site verification | Domain ownership |
## Related Documentation
- Infrastructure Overview — Cloud providers and architecture
- IAM & Service Accounts — GCP service accounts and permissions
- Server Fleet — Per-machine details